Recovering a system infected with malware, spyware, viruses, scareware, and other issues

Which is better and more cost effective for the client -
cleaning up a virus / malware infection, or wiping out the system
and rebuilding it from scratch? If you follow any of the current
computer industry news, you've no doubt read about all kinds of
nasty software (viruses, Trojans, keyloggers, scareware, PUPs,
…) which I'll collectively refer to as "Malware", for Malicious
Software. When faced with infections, people often resort
to online cleaning services, their own malware protection vendor
of choice, a local computer guru, their computer store of
choice, … and say 'Fix my PC!'

Malware has become so pervasive, alters so many parts of
the system, and hides itself in so many places that it is often
more cost effective to completely wipe the system and reinstall
everything from scratch. Sure, you can run automated programs
that try to get rid of all of it. However ...

When cleaning, the biggest problem is that you can never
100% guarantee that there aren't remnants of the malware still
present and waiting to re-infect the system. It doesn't matter
how good or how up to date your antivirus / anti-spyware / anti-malware
program is, or how current the definitions are -- it is
obsolete. I've said that before, but now I'm going to PROVE it!

To help prove the point, I'm going to create a
fictitious anti-malware product, and we're going to say that whatever
you use is that good. Soussan's AntiMal 3000 (SAM3K) is its name,
and it has sensors planted all over the internet such that no
malware in any form can exist for more than 2 minutes without my new
product detecting it, categorizing it, and creating signatures for it.
These new signatures are distributed to every system that runs
SAM3K every hour, so that your definitions are, on average, 30
minutes old.

Malware signatures follow the "Faberge Organics Shampoo"
distribution model -- your system gets an update and tells two
nearby systems about it, and they each tell two systems, and so on
and so on. This distributes the update load and prevents the Soussan
Antimalware Servers from bogging down while updating all those nicely
protected clients and servers all over the world. These updates are
encrypted with such a world-class algorithm that no malware can
possibly break its encryption.

Pretty cool product, isn't it!

As good as this is, in the average 30-minute-old
scenario there are 120 newly created programs that can infect your
system and not be detected by SAM3K. In fact, since you started
reading this article, 4 new malicious programs are now on the net
and infecting computers.

Read that again and think about it for a minute: 4
new malicious programs every minute. At the end I'll go through the
math to substantiate that number.

How about some good news?

Yes, it is bad. But the good news is that much of today's
malware, once installed, attempts to install other bits of malware as
well. So while the initial "grappling hook" that got into your PC might
not be detected, chances are that some of that malware's buddies, which it
is downloading and installing, are detected. If you are sitting there
doing nothing special and getting alerts from your anti-malware software
saying it blocked an infection, chances are pretty good you are
infected with something that your anti-malware can't see, and you are
watching it catch the other bits of malware that are in its database.

I'm infected - now what?

I'm going to throw a thought out there which I
expect will stir up some controversy - it is no longer cost
effective to attempt to clean malware off a system. The best path
for an infected system that you need to use reliably is to
take your data off, wipe the hard drive completely clean, and
reinstall the operating system and all your programs from known good
media. Then put your data back on.

Take your typical ½ terabyte drive. Fill it to 1/3,
so 500/3 = 166 GB of data. On a Core2 Duo I've watched scanners take
more than an hour to check every file. Let's say the scan found some
malware and cleaned it. What are the chances, given the 4 new bits
of malware created every minute, that some other malware is still on
the system? And even if it was completely and truly cleaned, what
about any latent damage that wasn't fixed when the malware was
removed? Your end result might very well be a system that is clean
but exhibits other issues that you'll never be able to explain or
fix. Or worse, you think it is clean, but a keystroke logger lurking
in the shadows is running and sending your bank login to a bad person.

Remember, no matter how good a cleaning product you
have, there is a lot of malware that it won't detect, and more of it
every minute. Even if you clean your system with multiple cleaning
products and they all say your system is fine, are you willing to
trust logging into your bank account, PayPal account, or credit card
company's online account and feel safe that you haven't just handed
your account information over to someone in China, Romania, or some
other country?

So after the hour of automated scanning and
cleaning, you still can't totally trust your system.

Teach your users -- family, friends, employees --
how to be safe online. How to tell a fake message from a real
one. How to ignore greeting cards, notices from your bank saying you
need to log in and change your password, pop-ups from fake
applications saying you are infected and they'll clean you for free,
and stay off the porn sites!

What is your best, most cost effective recovery strategy?

Start with a known good system set up the way you
like it, then get yourself a good image-based backup. External
terabyte-sized USB drives are $100; store your image and another
copy of some important files there. Got malware? Sigh - copy your
data off, restore the image, and put your data back on.

That, or be prepared to reinstall everything. An
operating system can be a 1/2 hour job if it is a single CD image from the
manufacturer, or a multiple-hour thing -- I'm holding a 10 CD restore
set of discs for an HP Pavilion a32n that took 2.5 hours
to feed in all the disks.

Then you've got all the security packs, patches, and
other system updates. Another half hour or more depending on your
internet speed.

Then all the driver updates for hardware installed
since then.

Then all your application software. Do you even have
it all? Do you know where it is? Do you have any install codes you
might need? Are you going to have to call the manufacturer to get
your license / install count reset on any of these?

Then you have to reconfigure your system -- how do
you connect to email? If to a server and you use Outlook, do you
know your settings? Your password? What server to connect to? What
is your user name?

Do you have a Palm? Or some other PDA that syncs
with your contact information? You'll have to set that up for
synchronization as well.

Which is easier -- doing all that, or restoring from
an image?

Even with the image-based backup you'll have to both
save off and then restore your data. Plus, any security updates,
patches, drivers, etc. that were applied since the image was taken will
also need to be downloaded and re-applied. But I'll bet that is a
whole lot easier and more straightforward than all the steps listed for
when you don't have an image backup.

------

If you found this helpful (or not),
please send me a brief email -- one line will more than do. If I see people
need, want, and / or use this kind of information that will encourage me to keep
creating this kind of content. Whereas if I never hear from anyone, then why
bother?